Business email compromise (BEC) is the most recent variant of a sophisticated cyberattack in which an attacker hacks into a corporate email account and impersonates the company’s financial officer or CEO in order to defraud the company, its employees, customers, and partners into sending money, personally identifiable information (PII), or material goods.
BEC attacks are particularly dangerous because they target businesses with large sums of money in their bank accounts (although any organization or individual can be a target).
The attackers also have intimate knowledge of the company’s structure and operations, making it difficult for employees to distinguish legitimate from fraudulent requests.
In a BEC attack, who is targeted?
When it comes to choosing their next assault target, cyber criminals all have distinct motivations.
Anyone at any level of the organization who uses technology in their job is vulnerable to this type of digital attack.
Employees with access to confidential information such as new products, client details, and funding reports could be targeted by email.
Furthermore, the attacker may target entry-level employees who have not been sufficiently trained to recognize business email compromise techniques such as phishing.
As businesses scrambled to allow workers to work from home during the first wave of the pandemic, the volume of phishing emails skyrocketed.
According to IBM, which reported an 11% increase in BEC attacks in Q2 2020, hackers took advantage of unfamiliar remote work settings.
Aerion Technologies received a number of phishing emails last year.
An employee’s email account was compromised: the attacker intercepted an email from a client and then requested that the client change the bank details used the next time they paid an invoice.
Fortunately, the client contacted the company’s accounts department to confirm the change, and the loss was averted.
If an organization’s email system is compromised, it can have disastrous consequences such as the leakage of proprietary data, the compromise of business secrets, and the compromise of PII.
And there are numerous other costs to consider, including the costs of incident response tasks and teams, legal actions, and irreversible reputational damage.
So, the best way to protect your company from BEC scams is to be aware of the tactics and processes used by attackers.
How Does a BEC Attack Work?
No specialized tools or tradecraft are needed to carry out BEC attacks. They come in a variety of forms, with the level of sophistication depending on the attacker’s motivation, goals, and ability.
A typical BEC attack consists of identifying the target, grooming, exchange of information, and lastly, the transfer of funds.
Phase 1: Research and identify the target victim
A criminal organization does research on the victim to create an accurate profile of the business.
Attackers hunt for the identities and positions of executives or employees who have access to personnel records or financial data, using publicly available information found on LinkedIn, Facebook, Google, and other sites.
They comb through social media, websites, internet articles, the dark web, and other sources for information about the organization and its workers. Attackers that infect a company’s network with malware may spend weeks or months monitoring information on vendors, billing and payment systems, and even employee vacation schedules.
BEC attacks typically target executives or workers with the authority to make payments on behalf of their companies.
Phase 2: The grooming process
The attacker proceeds on to phase 2, the grooming phase, with the information gathered in phase 1.
During this phase, the attacker targets personnel with access to company money through spear-phishing, phone calls, or other social engineering techniques. They prepare the attack by spoofing email addresses, impersonating a trustworthy vendor, or even gaining access to a colleague’s account. They will then exert pressure on the employee to act quickly.
To build trust, the grooming process often requires several days of back-and-forth dialogue.
Phase 3: Exchange of information and attack execution
Depending on the adversary’s thoroughness, the real BEC attack can take place in a single email or an entire thread. This communication frequently employs persuasion, urgency, and authority.
In this phase, the victim is led to believe that they are undertaking a legitimate commercial transaction. Once the victim is convinced, the attacker provides wiring instructions that direct the payment to a fraudulent account.
Phase 4: Payment
Finally, funds are transferred and deposited into the criminal organization’s bank account.
Once the funds have been sent to the attacker, they are promptly collected and dispersed among various accounts to limit traceability and retrieval chances.
3 ways to mitigate the risks of BEC attacks
BEC attacks put businesses of all sizes at risk of significant financial losses. So, let’s look at three ways to reduce these risks.
1. Beware of common BEC attack scenarios
Criminals frequently use the following strategies to carry out BEC scams:
● Scammers (usually appearing as attorneys or executives) send victims fake emails in order to persuade them to wire money in favor of a business deal, such as an acquisition that the victim’s firm is undertaking. These emails are framed as urgent and demand the victim’s confidentiality.
● Victims receive an email inviting them to send money to a specific account using a spoofed domain name. The mail comes from a domain that appears legitimate at first glance but has been subtly altered. These attacks take advantage of the victims’ inattention to the sender address.
● Electronic communications are sent in the name of one of the company’s vendors. Because the scammer has hacked into the vendor’s email account, the sender’s domain name is genuine, and the transaction appears legitimate. However, the processing details direct payment to an account controlled by the scammer.
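As an added illustration (not code from the original post), a small Python screening heuristic for the three scenarios above: it flags a sender domain that is a lookalike of a trusted domain, urgency or secrecy language, and a request to change payment details. The trusted domains, the substitution list and the sample messages are constructed assumptions.

```python
import re

# Constructed set of the organisation's own and known-vendor domains (assumption).
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# Visual substitutions often seen in lookalike domains, mapped to the character they imitate.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|confidential|do not discuss)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(wire transfer|new (bank )?account|updated? bank details|change (of|our) bank|routing number|iban)\b", re.I)


def edit_distance(a, b):
    # Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    # Undo the homoglyph tricks so that examp1e.com compares equal to example.com.
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def screen_email(sender, subject, body):
    """Return the list of BEC indicators found in one message; an empty list means nothing was flagged."""
    flags = []
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"lookalike domain {domain} (resembles {imitated})")
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        flags.append("urgency/secrecy language")
    if PAYMENT_CHANGE.search(text):
        flags.append("payment or bank-detail change request")
    return flags
```

A message from a genuine vendor domain that asks to change bank details is still flagged, which is the cue to confirm the change by phone using a number already on file rather than one in the email.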
2. Educate and train employees to recognize BEC attacks
One of the most effective ways to avoid a BEC attack is to educate your employees on the scam. They must be aware of the warning signs of a scam email.
Provide your employees with adequate cybersecurity training. They should be aware of the risks and consequences of these attacks, as well as how to respond in the event of an incident.
A solid understanding of cybersecurity best practices can instill a sense of accountability throughout the organization.
3. Build a layered defense
BEC is not necessarily technically sophisticated.
The majority of BEC attacks begin with spear-phishing or spoofing an internal email account. IT controls such as application-based multi-factor authentication (MFA) and virtual private networks (VPNs) can help to prevent or detect them.
Another effective anti-BEC strategy is to use encryption to authenticate emails and allow users to exchange data securely.
Encryption software converts data into code for transmission over a network. Without a ‘public key’ to decrypt the data, the transmission is unintelligible.
Understanding how BEC attacks work and taking the necessary precautions to protect yourself can help reduce your chances of becoming a victim. We’ve outlined the stages of the attack and various ways to keep your company safe from the attack in this blog post.
If you found this article useful, please share it with others who may need protection as well!